Open Stack

Fri Sep 13 13:24:36 UTC 2019

Hi Donny, following are the rules:

$ openstack security group list --project admin
+--------------------------------------+---------+------------------------+----------------------------------+------+
| ID                                   | Name    | Description            |
Project                          | Tags |
+--------------------------------------+---------+------------------------+----------------------------------+------+
| d0136b0e-ee51-461c-afa0-c5adb88dd0dd | default | Default security group |
68e3942285a24fb5bd1aed30e166aaee | []   |
+--------------------------------------+---------+------------------------+----------------------------------+------+

$ openstack security group rule list d0136b0e-ee51-461c-afa0-c5adb88dd0dd
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range | Port
Range | Remote Security Group                |
+--------------------------------------+-------------+----------+------------+--------------------------------------+
| 38394345-3e44-4284-a519-cdd8af020f30 | tcp         | ::/0     | 22:22
 | None                                 |
| 40881f76-c87f-4685-b3af-c3497dd44837 | None        | None     |
 | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
| 56d4ae52-195e-48df-871e-dc70b899b7ba | None        | None     |
 | d0136b0e-ee51-461c-afa0-c5adb88dd0dd |
| 759edd06-b698-45ca-94cd-44e0cc2cc848 | ipv6-icmp   | None     |
 | None                                 |
| 762effae-b8e5-42ac-ba99-e85a7bc42455 | tcp         | ::/0     | 22:22
 | None                                 |
| 81f3588d-4159-4af2-ad50-ff6b76add9cf | ipv6-icmp   | None     |
 | None                                 |
+--------------------------------------+-------------+----------+------------+--------------------------------------+

$ openstack security group rule show 759edd06-b698-45ca-94cd-44e0cc2cc848
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value

                                                          |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at        | 2019-09-03T16:51:41Z

                                                           |
| description       |

                                                          |
| direction         | egress

                                                           |
| ether_type        | IPv6

                                                           |
| id                | 759edd06-b698-45ca-94cd-44e0cc2cc848

                                                           |
| location          | Munch({'project': Munch({'domain_id': 'default',
'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name':
None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
| name              | None

                                                           |
| port_range_max    | None

                                                           |
| port_range_min    | None

                                                           |
| project_id        | 68e3942285a24fb5bd1aed30e166aaee

                                                           |
| protocol          | ipv6-icmp

                                                          |
| remote_group_id   | None

                                                           |
| remote_ip_prefix  | None

                                                           |
| revision_number   | 0

                                                          |
| security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd

                                                           |
| tags              | []

                                                           |
| updated_at        | 2019-09-03T16:51:41Z

                                                           |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

$ openstack security group rule show 81f3588d-4159-4af2-ad50-ff6b76add9cf
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field             | Value

                                                          |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| created_at        | 2019-09-03T16:51:30Z

                                                           |
| description       |

                                                          |
| direction         | ingress

                                                          |
| ether_type        | IPv6

                                                           |
| id                | 81f3588d-4159-4af2-ad50-ff6b76add9cf

                                                           |
| location          | Munch({'project': Munch({'domain_id': 'default',
'id': u'68e3942285a24fb5bd1aed30e166aaee', 'name': 'admin', 'domain_name':
None}), 'cloud': '', 'region_name': 'RegionOne', 'zone': None}) |
| name              | None

                                                           |
| port_range_max    | None

                                                           |
| port_range_min    | None

                                                           |
| project_id        | 68e3942285a24fb5bd1aed30e166aaee

                                                           |
| protocol          | ipv6-icmp

                                                          |
| remote_group_id   | None

                                                           |
| remote_ip_prefix  | None

                                                           |
| revision_number   | 0

                                                          |
| security_group_id | d0136b0e-ee51-461c-afa0-c5adb88dd0dd

                                                           |
| tags              | []

                                                           |
| updated_at        | 2019-09-03T16:51:30Z

                                                           |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

On Fri, Sep 13, 2019 at 10:16 AM Donny Davis <donny at fortnebula.com> wrote:

> Security group rules?
>
> Donny Davis
> c: 805 814 6800
>
> On Thu, Sep 12, 2019, 5:53 PM Lucio Seki <lucioseki at gmail.com> wrote:
>
>> Hi folks, I'm having troubles to ping6 a VM running over DevStack from
>> its hypervisor.
>> Could you please help me troubleshooting it?
>>
>> I deployed DevStack with NEUTRON_CREATE_INITIAL_NETWORKS=False,
>> and manually created the networks, subnets and router. Following is my
>> router:
>>
>> $ openstack router show router1 -c external_gateway_info -c
>> interfaces_info
>>
>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>> | Field                 | Value
>>
>>
>>                                                                      |
>>
>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>> | external_gateway_info | {"network_id":
>> "b87048ed-1be9-4f31-8d7e-fe74921aeec4", "enable_snat": true,
>> "external_fixed_ips": [{"subnet_id":
>> "28a00bc3-b30b-456f-b26a-44b50d37183f", "ip_address": "10.2.0.199"},
>> {"subnet_id": "a9729beb-b297-4fec-8ec3-7703f7f6f4bc", "ip_address":
>> "fd12:67:1::3c"}]} |
>> | interfaces_info       | [{"subnet_id":
>> "081e8508-4ceb-4aaf-bf91-36a1e22a768c", "ip_address": "fd12:67:1:1::1",
>> "port_id": "75391abd-8ac8-41f8-acf8-3dfaf2a6b08f"}]
>>
>>                               |
>>
>> +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
>>
>> I'm trying to ping6 the following VM:
>>
>> $ openstack server list
>>
>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>> | ID                                   | Name    | Status | Networks
>>                             | Image  | Flavor |
>>
>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>> | 938854d0-80e9-45b2-bc29-8fe7651ffa93 | manila1 | ACTIVE |
>> private1=fd12:67:1:1:f816:3eff:fe0e:17c3 | manila | manila |
>>
>> +--------------------------------------+---------+--------+------------------------------------------+--------+--------+
>>
>> I intend to reach it via br-ex interface of the hypervisor:
>>
>> $ ip a show dev br-ex
>> 9: br-ex: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state
>> UNKNOWN group default qlen 1000
>>     link/ether 0e:82:a1:ba:77:4c brd ff:ff:ff:ff:ff:ff
>>     inet6 fd12:67:1::1/64 scope global
>>        valid_lft forever preferred_lft forever
>>     inet6 fe80::c82:a1ff:feba:774c/64 scope link
>>        valid_lft forever preferred_lft forever
>>
>> The hypervisor has the following routes:
>>
>> $ ip -6 route
>> fd12:67:1:1::/64 via fd12:67:1::3c dev br-ex metric 1024 pref medium
>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
>> fe80::/64 dev br-ex proto kernel metric 256 pref medium
>> fe80::/64 dev br-int proto kernel metric 256 pref medium
>> fe80::/64 dev tapa5cf4799-9f proto kernel metric 256 pref medium
>>
>> And within the VM has the following routes:
>>
>> root at ubuntu:~# ip -6 route
>> root at ubuntu:~# ip -6 route
>> fd12:67:1::/64 via fd12:67:1:1::1 dev ens3 metric 1024 pref medium
>> fd12:67:1:1::/64 dev ens3 proto kernel metric 256 expires 86360sec pref
>> medium
>> fe80::/64 dev ens3 proto kernel metric 256 pref medium
>> default via fe80::f816:3eff:feb3:bd56 dev ens3 proto ra metric 1024
>> expires 260sec hoplimit 64 pref medium
>>
>> Though the ping6 from VM to hypervisor doesn't work:
>> root at ubuntu:~# ping6 fd12:67:1::1 -c4
>> PING fd12:67:1::1 (fd12:67:1::1): 56 data bytes
>> --- fd12:67:1::1 ping statistics ---
>> 4 packets transmitted, 0 packets received, 100% packet loss
>>
>> I'm able to tcpdump inside the router1 netns and see that request packet
>> is passing there, but can't see any reply packets:
>>
>> $ sudo ip netns exec qrouter-5172472c-bbe7-4907-832a-e2239c8badb4 tcpdump
>> -l -i any icmp6
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144
>> bytes
>> 21:29:29.351358 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1:
>> ICMP6, echo request, seq 0, length 64
>> 21:29:30.033316 IP6 fe80::f816:3eff:feb3:bd56 >
>> fe80::f816:3eff:fe0e:17c3: ICMP6, neighbor solicitation, who has
>> fe80::f816:3eff:fe0e:17c3, length 32
>> 21:29:30.035807 IP6 fe80::f816:3eff:fe0e:17c3 >
>> fe80::f816:3eff:feb3:bd56: ICMP6, neighbor advertisement, tgt is
>> fe80::f816:3eff:fe0e:17c3, length 24
>> 21:29:30.353646 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1:
>> ICMP6, echo request, seq 1, length 64
>> 21:29:31.355410 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1:
>> ICMP6, echo request, seq 2, length 64
>> 21:29:32.357239 IP6 fd12:67:1:1:f816:3eff:fe0e:17c3 > fd12:67:1::1:
>> ICMP6, echo request, seq 3, length 64
>>
>> The same happens from hypervisor to VM. I only acan see the request
>> packets, but no reply packets.
>>
>> Thanks in advance,
>> Lucio Seki
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20190913/385eb74e/attachment-0001.html>

Open Stack

[neutron] DevStack with IPv6

OpenStack

Community

Documentation

Branding & Legal